To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.

If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by using the no mschapv2-capable command.

User Authorization of VPN Connections

The ASA can use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic ACLs or ACL names per user. To implement dynamic ACLs, you must configure the RADIUS server to support them. When the user authenticates, the RADIUS server sends a downloadable ACL or ACL name to the ASA. Access to a given service is either permitted or denied by the ACL. The ASA deletes the ACL when the authentication session expires.

In addition to ACLs, the ASA supports many other attributes for authorization and setting of permissions for VPN remote access and firewall cut-through proxy sessions.

One example is the Cisco VSA Cisco-Priv-Level, which provides a standard 0-15 numeric ranking of privileges, with 1 being the lowest level and 15 being the highest level. A zero level indicates no privileges. The first level (login) allows privileged EXEC access for the commands available at this level. The second level (enable) allows CLI configuration privileges.

Supported RADIUS Authorization Attributes

Authorization refers to the process of enforcing
permissions or attributes. A RADIUS server defined as an authentication server
enforces permissions or attributes if they are configured. These attributes
have vendor ID 3076.

The following table lists the supported RADIUS
attributes that can be used for user authorization.

Note

RADIUS attribute names do not contain the
cVPN3000 prefix. Cisco Secure ACS 4.x supports this new nomenclature, but
attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The
ASAs enforce the RADIUS attributes based on attribute numeric ID, not attribute
name.

All attributes listed in the following table are
downstream attributes that are sent from the RADIUS server to the ASA except
for the following attribute numbers: 146, 150, 151, and 152. These attribute
numbers are upstream attributes that are sent from the ASA to the RADIUS
server. RADIUS attributes 146 and 150 are sent from the ASA to the RADIUS
server for authentication and authorization requests. All four previously
listed attributes are sent from the ASA to the RADIUS server for accounting
start, interim-update, and stop requests. Upstream RADIUS attributes 146, 150,
151, and 152 were introduced in Version 8.4(3).

Cisco ACS 5.x and Cisco ISE do not support IPv6
framed IP addresses for IP address assignment using RADIUS authentication in
Version 9.0(1).

This text replaces the default string,
“Application Access,” on the clientless portal home page.

Attribute Name | ASA | Attr. No. | Syntax/Type | Single or Multi-Valued | Description or Value
--- | --- | --- | --- | --- | ---
WebVPN-Post-Max-Size | Y | 159 | Integer | Single | 0x7fffffff
WebVPN-Session-Timeout-Alert-Interval | Y | 149 | Integer | Single | 0-30. 0 = Disabled.
WebVPN-Smart-Card-Removal-Disconnect | Y | 225 | Boolean | Single | 0 = Disabled, 1 = Enabled
WebVPN-Smart-Tunnel | Y | 136 | String | Single | Name of a Smart Tunnel
WebVPN-Smart-Tunnel-Auto-Sign-On | Y | 139 | String | Single | Name of a Smart Tunnel auto sign-on list appended by the domain name
WebVPN-Smart-Tunnel-Auto-Start | Y | 138 | Integer | Single | 0 = Disabled, 1 = Enabled, 2 = Auto Start
WebVPN-Smart-Tunnel-Tunnel-Policy | Y | 227 | String | Single | One of “e networkname,” “i networkname,” or “a,” where networkname is the name of a Smart Tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels.
WebVPN-SSL-VPN-Client-Enable | Y | 103 | Integer | Single | 0 = Disabled, 1 = Enabled
WebVPN-SSL-VPN-Client-Keep-Installation | Y | 105 | Integer | Single | 0 = Disabled, 1 = Enabled
WebVPN-SSL-VPN-Client-Required | Y | 104 | Integer | Single | 0 = Disabled, 1 = Enabled
WebVPN-SSO-Server-Name | Y | 114 | String | Single | Valid string
WebVPN-Storage-Key | Y | 162 | String | Single | 
WebVPN-Storage-Objects | Y | 161 | String | Single | 
WebVPN-SVC-Keepalive-Frequency | Y | 107 | Integer | Single | 15-600 seconds, 0 = Off
WebVPN-SVC-Client-DPD-Frequency | Y | 108 | Integer | Single | 5-3600 seconds, 0 = Off
WebVPN-SVC-DTLS-Enable | Y | 123 | Integer | Single | 0 = Disabled, 1 = Enabled
WebVPN-SVC-DTLS-MTU | Y | 125 | Integer | Single | MTU value is from 256-1406 bytes.
WebVPN-SVC-Gateway-DPD-Frequency | Y | 109 | Integer | Single | 5-3600 seconds, 0 = Off
WebVPN-SVC-Rekey-Time | Y | 110 | Integer | Single | 4-10080 minutes, 0 = Off
WebVPN-SVC-Rekey-Method | Y | 111 | Integer | Single | 0 (Off), 1 (SSL), 2 (New Tunnel)
WebVPN-SVC-Compression | Y | 112 | Integer | Single | 0 (Off), 1 (Deflate Compression)
WebVPN-UNIX-Group-ID (GID) | Y | 222 | Integer | Single | Valid UNIX group IDs
WebVPN-UNIX-User-ID (UIDs) | Y | 221 | Integer | Single | Valid UNIX user IDs
WebVPN-Upload-Max-Size | Y | 158 | Integer | Single | 0x7fffffff
WebVPN-URL-Entry-Enable | Y | 93 | Integer | Single | 0 = Disabled, 1 = Enabled
WebVPN-URL-List | Y | 71 | String | Single | URL list name
WebVPN-User-Storage | Y | 160 | String | Single | 
WebVPN-VDI | Y | 163 | String | Single | List of settings

Supported IETF RADIUS Authorization Attributes

The following table lists the supported IETF
RADIUS attributes.

Table 2 Supported IETF RADIUS Attributes

Attribute Name | ASA | Attr. No. | Syntax/Type | Single or Multi-Valued | Description or Value
--- | --- | --- | --- | --- | ---
IETF-Radius-Class | Y | 25 | | Single | For Versions 8.2.x and later, we recommend that you use the Group-Policy attribute (VSA 3076, #25). Accepted forms: group policy name; OU=group policy name; OU=group policy name
IETF-Radius-Filter-Id | Y | 11 | String | Single | ACL name that is defined on the ASA, which applies only to full tunnel IPsec and SSL VPN clients.
IETF-Radius-Framed-IP-Address | Y | n/a | String | Single | An IP address
IETF-Radius-Framed-IP-Netmask | Y | n/a | String | Single | An IP address mask
IETF-Radius-Idle-Timeout | Y | 28 | Integer | Single | Seconds
IETF-Radius-Service-Type | Y | 6 | Integer | Single | Possible Service-Type values: Administrative (user is allowed access to the configure prompt); NAS-Prompt (user is allowed access to the exec prompt); remote-access (user is allowed network access)
IETF-Radius-Session-Timeout | Y | 27 | Integer | Single | Seconds
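
As an added example (not from the Cisco documentation), the following Python decodes the attribute section of a RADIUS packet the way the two tables above describe it: IETF attributes by number, and vendor ID 3076 sub-attributes carried inside the Vendor-Specific attribute (26). It keys everything by numeric ID because the ASA enforces attributes by ID, not by name, and range-checks the Cisco values against the Description column. The attribute subset and the sample packet bytes are constructed here, not captured from a real server.

```python
import struct

VENDOR_CISCO = 3076   # vendor ID of the ASA VSAs (from the page)
VSA_TYPE = 26         # IETF Vendor-Specific attribute that carries them

# Subset of the page's tables, keyed by numeric ID because the ASA enforces
# attributes by number, not name. Allowed sets come from the Description column.
IETF_ATTRS = {11: ("IETF-Radius-Filter-Id", "String"),
              27: ("IETF-Radius-Session-Timeout", "Integer")}
CISCO_VSAS = {103: ("WebVPN-SSL-VPN-Client-Enable", "Integer", {0, 1}),
              107: ("WebVPN-SVC-Keepalive-Frequency", "Integer", {0} | set(range(15, 601))),
              125: ("WebVPN-SVC-DTLS-MTU", "Integer", set(range(256, 1407))),
              136: ("WebVPN-Smart-Tunnel", "String", None),
              225: ("WebVPN-Smart-Card-Removal-Disconnect", "Boolean", {0, 1})}


def _tlvs(buf):
    # Yield (type, value) from a type/length/value sequence; reject bad lengths.
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("bad attribute length at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]


def _decode(kind, raw):
    if kind in ("Integer", "Boolean"):
        if len(raw) != 4:
            raise ValueError("%s attribute must be 4 bytes" % kind)
        return struct.unpack("!I", raw)[0]
    return raw.decode("utf-8", errors="replace")


def parse_attributes(data):
    """Return (name, value) pairs for the attribute section of a RADIUS packet.
    Cisco VSAs are range-checked against the table; other vendors stay opaque."""
    out = []
    for atype, val in _tlvs(data):
        if atype != VSA_TYPE:
            name, kind = IETF_ATTRS.get(atype, ("ietf-attr-%d" % atype, "String"))
            out.append((name, _decode(kind, val)))
            continue
        if len(val) < 6:
            raise ValueError("truncated Vendor-Specific attribute")
        vendor = struct.unpack("!I", val[:4])[0]
        if vendor != VENDOR_CISCO:
            out.append(("other-vendor-%d" % vendor, val[4:]))
            continue
        for vtype, raw in _tlvs(val[4:]):
            name, kind, allowed = CISCO_VSAS.get(vtype, ("cisco-vsa-%d" % vtype, "String", None))
            value = _decode(kind, raw)
            if allowed is not None and value not in allowed:
                raise ValueError("%s=%r is outside the documented range" % (name, value))
            out.append((name, value))
    return out


def _tlv(t, v):
    return bytes([t, len(v) + 2]) + v

# Constructed sample (not a captured packet): Filter-Id, Session-Timeout and
# three ASA VSAs as they would appear in an Access-Accept.
SAMPLE = (_tlv(11, b"VPN-USERS-ACL") + _tlv(27, struct.pack("!I", 3600))
          + _tlv(VSA_TYPE, struct.pack("!I", VENDOR_CISCO)
                 + _tlv(103, struct.pack("!I", 1)) + _tlv(107, struct.pack("!I", 30))
                 + _tlv(136, b"intranet-tunnel")))
```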

RADIUS Accounting Disconnect Reason Codes

These codes are returned if the ASA encounters a
disconnect when sending packets:

Disconnect Reason Code | Value
--- | ---
ACCT_DISC_USER_REQ | 1
ACCT_DISC_LOST_CARRIER | 2
ACCT_DISC_LOST_SERVICE | 3
ACCT_DISC_IDLE_TIMEOUT | 4
ACCT_DISC_SESS_TIMEOUT | 5
ACCT_DISC_ADMIN_RESET | 6
ACCT_DISC_ADMIN_REBOOT | 7
ACCT_DISC_PORT_ERROR | 8
ACCT_DISC_NAS_ERROR | 9
ACCT_DISC_NAS_REQUEST | 10
ACCT_DISC_NAS_REBOOT | 11
ACCT_DISC_PORT_UNNEEDED | 12
ACCT_DISC_PORT_PREEMPTED | 13
ACCT_DISC_PORT_SUSPENDED | 14
ACCT_DISC_SERV_UNAVAIL | 15
ACCT_DISC_CALLBACK | 16
ACCT_DISC_USER_ERROR | 17
ACCT_DISC_HOST_REQUEST | 18
ACCT_DISC_ADMIN_SHUTDOWN | 19
ACCT_DISC_SA_EXPIRED | 21
ACCT_DISC_MAX_REASONS | 22

Guidelines for RADIUS Servers for AAA

This section describes the guidelines and limitations that you should check before configuring RADIUS servers for AAA.

IPv6

The AAA server must use an IPv4 address, but endpoints can use IPv6.

Additional Guidelines

You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode.

Each group can have up to 16 servers in single mode or 4 servers in multiple mode.

Configure RADIUS Servers for AAA

This section describes how to configure RADIUS
servers for AAA.

Procedure

Step 1

Load the ASA attributes into the RADIUS
server. The method that you use to load the attributes depends on which type of
RADIUS server that you are using:

If you are using Cisco ACS: the server
already has these attributes integrated. You can skip this step.

For RADIUS servers from other vendors
(for example, Microsoft Internet Authentication Service): you must manually
define each ASA attribute. To define an attribute, use the attribute name or
number, type, value, and vendor code (3076).

Configure RADIUS Server Groups

If you want to use an external RADIUS server for authentication,
authorization, or accounting, you must first create at least one RADIUS server
group per AAA protocol and add one or more servers to each group.

Configure the method (Reactivation Mode)
by which failed servers in a group are reactivated.

Depletion, Dead Time—Reactivate failed servers only after all of the servers in the group are inactive. This is the default reactivation mode. Specify the amount of time, between 0 and 1440 minutes, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. The default is 10 minutes.

Timed—Reactivate failed servers after 30 seconds of down time.

Step 7

In Max Failed Attempts, specify the maximum number of requests sent to a RADIUS server in the group before trying the next server.

The range is from 1 to 5. The default is 3.

If you configure a fallback method using the local database (for management access only), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (if you use the default reactivation mode and dead time), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, change the Dead Time.

If you do not have a fallback method, the ASA continues to retry
the servers in the group.
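
The following Python is an added simulation of the failover rules described above (a model, not ASA code): Max Failed Attempts per server, Depletion reactivation with Dead Time, Timed reactivation after 30 seconds, and the fallback method with its unresponsive period. The RadiusServer stub and its scripted timeouts are constructed for the example; how a single request ends once every server is inactive and no fallback exists is an assumption of the model (the request reports no server, and later requests retry after reactivation).

```python
class RadiusServer:
    """Constructed stand-in for one server: 'replies' is the scripted
    response per attempt, True = answered, False = timed out (no real I/O)."""
    def __init__(self, name, replies):
        self.name, self.replies = name, list(replies)
        self.active, self.failed_at = True, None

    def query(self):
        return self.replies.pop(0) if self.replies else False


class ServerGroup:
    TIMED_REACTIVATION_S = 30   # Timed mode: back after 30 seconds of down time

    def __init__(self, servers, max_failed_attempts=3, mode="depletion",
                 dead_time_min=10, fallback_local=False):
        if not 1 <= max_failed_attempts <= 5 or not 0 <= dead_time_min <= 1440:
            raise ValueError("documented ranges: attempts 1-5, dead time 0-1440 min")
        self.servers, self.max_failed = servers, max_failed_attempts
        self.mode, self.dead_time_s = mode, dead_time_min * 60
        self.fallback_local, self.unresponsive_until = fallback_local, None

    def _reactivate(self, now):
        if self.mode == "timed":
            for s in self.servers:
                if not s.active and now - s.failed_at >= self.TIMED_REACTIVATION_S:
                    s.active = True
        elif all(not s.active for s in self.servers):
            # Depletion: all servers return together, Dead Time after the last one fell
            if now - max(s.failed_at for s in self.servers) >= self.dead_time_s:
                for s in self.servers:
                    s.active = True

    def authenticate(self, now):
        """Return the name of the server that answered, 'fallback' when the
        local database was used, or 'no-server' (model assumption: the request
        fails now and later requests retry once servers are reactivated)."""
        self._reactivate(now)
        if self.fallback_local and self.unresponsive_until and now < self.unresponsive_until:
            return "fallback"   # group still marked unresponsive: not contacted at all
        for s in self.servers:
            if not s.active:
                continue
            for _ in range(self.max_failed):   # Max Failed Attempts per server
                if s.query():
                    return s.name
            s.active, s.failed_at = False, now  # give up on it, try the next server
        if self.fallback_local:
            self.unresponsive_until = now + self.dead_time_s
            return "fallback"
        return "no-server"
```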

These options are relevant only if you are using this server group
for AnyConnect or clientless SSL VPN.

Enable interim accounting update—If you enable this option without also selecting the Update Interval option, the ASA sends interim-accounting-update messages only when a VPN tunnel connection is added to a clientless VPN session. When this happens, the accounting update is generated in order to inform the RADIUS server of the newly assigned IP address.

Update Interval—Enables the periodic generation and transmission of accounting records for every VPN session that is configured to send accounting records to the server group in question. You can change the interval, in hours, for sending these updates. The default is 24 hours; the range is 1 to 120.

Note

For server groups containing ISE servers, select both options.
ISE maintains a directory of active sessions based on the accounting records
that it receives from NAS devices like the ASA. However, if ISE does not
receive any indication that the session is still active (accounting message or
posture transactions) for a period of 5 days, it will remove the session record
from its database. To ensure that long-lived VPN connections are not removed,
configure the group to send periodic interim-accounting-update messages to ISE
for all active sessions.

CDA or AD Agents are used in identity firewall, and are not
full-featured RADIUS servers. If you select this option, you can use this group
for identity firewall purposes only.

Step 10

(Optional) If you are using this server group for ISE Policy
Enforcement in remote access VPN, configure the following options:

Enable dynamic authorization—Enable the
RADIUS Dynamic Authorization (ISE Change of Authorization, CoA) services for
the AAA server group. When you use the server group in a VPN tunnel, the RADIUS
server group will be registered for CoA notification and the ASA will listen to
the port for the CoA policy updates from ISE. Enable dynamic authorization only
if you are using this server group in a remote access VPN in conjunction with
ISE.

Dynamic Authorization Port—If you
enable dynamic authorization, you can specify the listening port for RADIUS CoA
requests. The default is 1700. The valid range is 1024 to 65535.

Use authorization only mode—If you do
not want to use ISE for authentication, enable authorize-only mode for the
RADIUS server group. This indicates that when this server group is used for
authorization, the RADIUS Access Request message will be built as an “Authorize
Only” request as opposed to the configured password methods defined for the AAA
server. If you do configure a common password for the RADIUS server, it will be
ignored.

For example, you would use authorize-only mode if you want to
use certificates for authentication rather than this server group. You would
still use this server group for authorization and accounting in the VPN tunnel.

Step 11

(Optional.) Configure the VPN3K Compatibility Option to specify whether or not a downloadable ACL received from a RADIUS packet should be merged with a Cisco AV pair ACL.

This option applies only to VPN connections. For VPN users, ACLs
can be in the form of Cisco AV pair ACLs, downloadable ACLs, and an ACL that is
configured on the ASA. This option determines whether or not the downloadable
ACL and the AV pair ACL are merged, and does not apply to any ACLs configured
on the ASA.

Do not merge—Downloadable ACLs will not be merged with Cisco AV pair ACLs. If both an AV pair and a downloadable ACL are received, the AV pair has priority and is used. This is the default option.

Place the downloadable ACL after Cisco AV-pair
ACL

Place the downloadable ACL before Cisco AV-pair
ACL

Step 12

Click OK.

The Add AAA Server Group dialog box closes, and the new server group is added to the AAA Server Groups table.

Step 13

Click Apply to save the changes to the running configuration.

Add a RADIUS Server to a Group

To add a RADIUS server to a group, perform the following steps:

Procedure

Step 1

Choose Configuration > Device Management > Users/AAA > AAA Server Groups, and in the AAA Server Groups area, click the server group to which you want to add a server.

Step 2

Click Add in the Servers in the Selected Group area (lower pane).

The Add AAA Server Group dialog box appears for the server group.

Step 3

Choose the interface name on which the authentication server
resides.

Step 4

Add either a server name or IP address for the server that you
are adding to the group.

Step 5

Add a timeout value or keep the default. The timeout is the
length of time, in seconds, that the ASA waits for a response from the primary
server before sending the request to the backup server.

Step 6

Specify how you want the ASA to handle netmasks received in
downloadable ACLs. Choose from the following options:

Detect automatically—The ASA attempts to determine
the type of netmask expression used. If the ASA detects a wildcard netmask
expression, the ASA converts it to a standard netmask expression.

Note

Because some wildcard expressions are difficult to detect
clearly, this setting may misinterpret a wildcard netmask expression as a
standard netmask expression.

Standard—The ASA assumes downloadable ACLs received
from the RADIUS server contain only standard netmask expressions. No
translation from wildcard netmask expressions is performed.

Wildcard—The ASA assumes downloadable ACLs received
from the RADIUS server contain only wildcard netmask expressions, and it
converts them all to standard netmask expressions when the ACLs are downloaded.
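
To make the Note above concrete, here is an added Python model (not ASA code) of the three netmask options. It classifies a mask as standard (contiguous 1s then 0s), wildcard (contiguous 0s then 1s), ambiguous (valid in both forms, which is only 0.0.0.0 and 255.255.255.255) or non-contiguous, and shows what the Detect automatically choice does to a downloadable ACE: a wildcard 0.0.0.0 means one host, but read as a standard mask it matches every address. Treating an ambiguous mask as standard in auto mode is an assumption of the model, chosen to reproduce the misinterpretation the Note describes.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(mask):
    return int(ipaddress.IPv4Address(mask))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def is_standard(m):
    """Standard netmask: contiguous 1s followed by 0s, e.g. 255.255.255.0."""
    inv = ~m & ALL_ONES
    return (inv + 1) & inv == 0


def is_wildcard(m):
    """Wildcard mask: contiguous 0s followed by 1s, e.g. 0.0.0.255."""
    return (m + 1) & m == 0


def classify(mask):
    m = _to_int(mask)
    s, w = is_standard(m), is_wildcard(m)
    if s and w:
        return "ambiguous"      # only 0.0.0.0 and 255.255.255.255 pass both tests
    return "standard" if s else "wildcard" if w else "noncontiguous"


def normalize(mask, mode):
    """Standard netmask the ACE is applied with under the three ASDM options:
    'standard' (no translation), 'wildcard' (always invert) and 'auto'
    (Detect automatically). Assumption: 'auto' keeps an ambiguous mask as sent,
    i.e. treats it as standard, which is the misinterpretation the Note warns about."""
    m = _to_int(mask)
    if mode == "wildcard":
        return _to_str(m ^ ALL_ONES)
    if mode == "standard":
        return mask
    if mode != "auto":
        raise ValueError("mode must be auto, standard or wildcard")
    return _to_str(m ^ ALL_ONES) if classify(mask) == "wildcard" else mask


def address_count(std_mask):
    """Number of addresses an ACE matches with the given standard mask."""
    return 2 ** (32 - bin(_to_int(std_mask)).count("1"))
```

Comparing address_count(normalize("0.0.0.0", "wildcard")) with address_count(normalize("0.0.0.0", "auto")) shows the host-to-any widening that makes the explicit Wildcard setting the safer choice when the server is known to send wildcard masks.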

Step 7

Specify a case-sensitive password that is common among users who
access this RADIUS authorization server through this ASA. Be sure to provide
this information to your RADIUS server administrator.

Note

For an authentication RADIUS server (rather than authorization),
do not configure a common password.

If you leave this field blank, the username is the password for
accessing this RADIUS authorization server.

Never use a RADIUS authorization server for authentication.
Common passwords or usernames as passwords are less secure than assigning
unique user passwords.

Although the password is required by the RADIUS protocol and the
RADIUS server, users do not need to know it.

Step 8

If you use double authentication and enable password management
in the tunnel group, then the primary and secondary authentication requests
include MS-CHAPv2 request attributes. If a RADIUS server does not support
MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2
authentication request by unchecking this check box.

Step 9

Specify the length of time, from 1 to 10 seconds, that the ASA
waits between attempts to contact the server.

Note

The interval between subsequent retries will always be 50 ms or 100 ms, regardless of the retry-interval settings you have entered. This is the intended behavior.

Step 10

Click Simultaneous or Single.

In Single mode, the ASA sends accounting data to only one
server.

In Simultaneous mode, the ASA sends accounting data to all
servers in the group.

Step 11

Specify the server port to be used for accounting of users. The
default port is 1646.

Step 12

Specify the server port to be used for authentication of users.
The default port is 1645.

Step 13

Specify the shared secret key used to authenticate the RADIUS
server to the ASA. The server secret that you configure should match the one
configured on the RADIUS server. If you do not know the server secret, ask the
RADIUS server administrator. The maximum field length is 64 characters.

Step 14

Click OK.

The Add AAA Server Group dialog box closes, and the AAA server is added to the AAA server group.

Step 15

In the AAA Server Groups pane, click Apply to save the changes to the running configuration.

Add an Authentication Prompt

You can specify the AAA challenge text for HTTP, FTP, and Telnet
access through the ASA when requiring user authentication from RADIUS servers.
This text is primarily for cosmetic purposes and appears above the username and
password prompts that users see when they log in. If you do not specify an
authentication prompt, users see the following when authenticating with a
RADIUS server:

If the user authentication occurs from Telnet, you can use the User accepted message and User rejected message options to display different status prompts to indicate that the authentication attempt is either accepted or rejected by the RADIUS server.

If the RADIUS server authenticates the user, the ASA displays the User accepted message text, if specified, to the user; otherwise, the ASA displays the User rejected message text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The User accepted message and User rejected message text are not displayed.

Step 4

Click Apply to save the changes to the running configuration.

Test RADIUS Server Authentication and Authorization

To determine whether the ASA can contact a RADIUS server and
authenticate or authorize a user, perform the following steps:

Feature Name | Releases | Feature Information
--- | --- | ---
Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA | 8.4(3) | Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.